Hi Markus,
When you say authentication does not work, do you mean Kerberos
authentication or Kerberos and NTLM ? Can you add a -d for debug to the
Kerberos authentication helper and provide the log file messages ?
Can you also provide the content of the keytab ?
Regards
Markus
"Markus Sonnenberg" wrote in message news:56C1C720.5030804@xxxxxxxxxxx...
Hi,
i've set up a CentOS 7 machine with Squid 3.3.8 and kerberos/ntlm
authentication in order to replace our older Squid Proxy.
The new Squid server runs fine and authentication is working as
expected. We use group policies to set proxy server address at terminal
servers and workstations,which is "proxy.company.com". This address is
an A record and currently points to the ip address of our old proxy
server. The hostname of our old proxy server is "euprx001.company.com"
and the hostname of our new proxy server is "euprx101.company.com"
When I change the A record for "proxy.company.com" pointing to the ip
address of our new proxy server then authentication is not working.
proxy.company.com 10.222.40.106
euprx101.company.com 10.222.40.106
Authentication work if internet explorer uses the real host name but it
does not work if uses "proxy.company.com"
Gues what, this A record is pointing currently to our old proxy server
and works fine regardless if internet explorer connects to proxy... or
euprx001....
Here's the current config I'm using on our new proxy server.
<snip>
# Network Options
#
+-------------------------------------------------------------------------+
http_port 8080
icp_port 0
offline_mode off
# Administrative Options
#
+-------------------------------------------------------------------------+
via off
cache_mgr edc.helpdesk@xxxxxxxxxxx
cachemgr_passwd ap0ll0 all
cache_effective_user squid
cache_effective_group squid
# cache_dir rock /cache 40000 max-size=4194304 slot-size=32768
cache_mem 6144 MB
memory_pools on
pid_filename /var/run/squid.pid
ftp_user anonymous
ftp_passive off
check_hostnames off
request_header_max_size 20 KB
snmp_port 3401
shutdown_lifetime 2 seconds
maximum_object_size 1048576 KB
maximum_object_size_in_memory 10240 KB
forwarded_for on
snmp_incoming_address 0.0.0.0
workers 4
error_directory /usr/share/squid/errors/TTI
deny_info ERR_AD_REMOVED AdServer
deny_info ERR_BLOCKED_FILES BlockedFiles
deny_info ERR_BLOCKED_SITES BlockedSites
deny_info ERR_BLOCKED_SOCIAL BlockedSocialnet
deny_info ERR_BLOCKED_WEBMAIL BlockedWebmail
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
--domain=DE.COMPANY.COM --kerberos
/usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=10 idle=10
auth_param negotiate keep_alive on
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --domain=DE.COMPANY.COM
auth_param ntlm children 10
auth_param ntlm keep_alive on
### provide basic authentication via ldap for clients not authenticated
via kerberos/ntlm
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
"dc=DE,dc=COMPANY,dc=COM" -D SVC_Squid@xxxxxxxxxxx -W
/etc/squid/ldappass.txt -f sAMAccountName=%s -h euads201.de.company.com
auth_param basic children 10 startup=0 idle=1
auth_param basic realm Company, Inc. European Web Proxy
auth_param basic credentialsttl 120 minute
### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R
-K -S -b "dc=DE,dc=COMPANY,dc=COM" -D SVC_Squid@xxxxxxxxxxxxxx -W
/etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)
(memberof=cn=%g,cn=Users,dc=DE,dc=COMPANY,dc=COM))" -h
euads201.de.company.com
# Logging
#
+-------------------------------------------------------------------------+
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/squid-cache-access.log squid
# Refresh Pattern
#
+-------------------------------------------------------------------------+
refresh_pattern ^http://.*\.gif$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.png$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.jpg$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.jpeg$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.bmp$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.gif$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.ico$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.swf$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.flv$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.rar$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.ram$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.txt$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.css$ 10080 100% 120960
reload-into-ims override-expire ignore-reload
refresh_pattern ^http:// 1 100% 20160
reload-into-ims ignore-reload
refresh_pattern ^ftp:// 10080 100% 120960
refresh_pattern ^gopher:// 240 40% 20160
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 100% 20160
reload-into-ims
# Access Control List
#
+-------------------------------------------------------------------------+
### acl for proxy auth and ldap authorizations
#
# aclname acltype typename activedirectorygroup
acl snmppublic snmp_community public
acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.7
Java/1.8 Java/1.9
acl auth proxy_auth REQUIRED
acl AdminAccess external memberof "/etc/squid/group_admin.txt"
acl BlockedAccess external memberof "/etc/squid/group_blocked.txt"
acl RestrictedAccess external memberof "/etc/squid/group_restricted.txt"
acl StandardAccess external memberof "/etc/squid/group_standard.txt"
acl FullAccess external memberof "/etc/squid/group_full.txt"
acl AdServer dstdom_regex "/etc/squid/dst_adserver.txt"
acl BlockedSites dstdom_regex "/etc/squid/dst_blocked.txt"
acl BlockedSocialnet dstdom_regex "/etc/squid/dst_socialnet.txt"
acl BlockedWebmail dstdom_regex "/etc/squid/dst_webmail.txt"
acl AllowedSites dstdomain "/etc/squid/dst_allowed.txt"
acl noauthsites dstdomain "/etc/squid/dst_noauth.txt"
acl dontcache dstdomain "/etc/squid/dst_dontcache.txt"
acl BlockedFiles urlpath_regex "/etc/squid/blockedfiles.txt"
acl vlan3042 dst 10.222.42.0/23
acl vlan3044 dst 10.222.44.0/23
acl vlan3247 dst 10.222.247.0/24
acl SSL_ports port 80 87 443 446 447 481 482 563 1494 2598
6400 8020 8443 9250 9443 10000 10020 44300
acl Safe_ports port 21 70 80 210 210 280 443 446 447 481 482
488 563 591 666 777 1025-65535
acl CONNECT method CONNECT
### cache directives
cache deny dontcache
### snmp_access rules
snmp_access allow snmppublic
### http_access rules
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# enforce authentication, order of rules is important for authorization
levels
http_access allow Java
http_access allow noauthsites
http_access deny !auth
http_access deny AdServer
http_access allow AdminAccess
http_access deny BlockedAccess all
http_access deny BlockedFiles
http_access allow AllowedSites
http_access deny RestrictedAccess all
http_access allow FullAccess auth
http_access deny BlockedSites
http_access deny BlockedSocialnet
http_access deny BlockedWebmail
http_access allow StandardAccess auth
# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all
# The End
#
+-------------------------------------------------------------------------+
You have new mail in /var/spool/mail/root
</snip>
best regards
Markus
ct,
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users